Cybersecurity has become an enterprise-level risk in healthcare and should be managed like one, CynergisTek says.
The number of providers victimized by hacking attacks rose by 320 percent from 2015 to 2016, according to “Breach Report 2016: Protected Health Information,” a study from consulting firm CynergisTek.
What’s more, 81 percent of records breached in 2016 were the result of hacking attacks.
CynergisTek’s seventh annual study provides an analysis of the causes of PHI breaches reported to the Department of Health and Human Services and the overall state of cybersecurity in healthcare.
“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” CynergisTek vice president Dan Berger said. “The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records compromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond.”
The “Breach Report 2016” study also found that 325 large breaches of PHI occurred, compromising 16,612,985 individuals’ records, while 3,620,000 records were breached in the year’s single largest incident.
Seventy-eight percent of records breached in 2016 occurred at healthcare provider organizations, and 40 percent of large breach incidents involved unauthorized access or disclosure.
In terms of fines, $23,505,300 was paid to the HHS Office for Civil Rights in 2016 to resolve HIPAA violations that occurred at 13 provider organizations during 2012-2013.
While several large healthcare organizations were targeted by hackers in 2016, the majority of attacks occurred at smaller clinics, the study found.
And 2016 marked the first year a hospital was struck by a ransomware attack.
Risks are no longer just about loss or theft of data. The ransomware attacks of 2016 show how security incursions can restrict the availability of health data to providers, impacting their ability to deliver care. DDoS attacks launched internally from Internet of Things or medical devices can potentially result in the same problem, or worse.
“Healthcare cybersecurity has become an enterprise-level risk and should be managed like one,” CynergisTek said. “No longer the purview of IT, it is a cross-functional issue with far-ranging implications on operations, finance, legal, HR, procurement, reputation, and most importantly, patient care. The stakes are high enough to demand active involvement and participation from senior executives and Boards of Directors.”